I have a big problem right now with a game I made. We're keeping scores
on the matches and there are several people running scripts that inject
scores into the database.
I have looked for the past 2 days for a way to protect against this, but in
all pages I've found how to protect against HTML code injection, but not
how to protect against someone making a form and sending the parameters
needed for the script to work.
I currently check for time interval so that you cannot run the script more
than once per minute.
But I just can't seem to find how to check if the call is being made from
the actual game.
Plus I imagine it's a form running a JavaScript that submits the form
once after every minute and something, but I can't say for sure that's what
they are doing. I just see that the matches stored in the database are just
impossible. They have a match every minute and ten seconds or so, or every
other minute the whole day, continuously. It has got to be a robot, right?
I tried using info from $_SERVER[] but didn't find something that works.
The call is made from a Flash game and received by PHP.
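A way to spot the pattern Newen describes in the stored matches, as an added example (not code from the thread): it reads player/timestamp rows, constructed sample data here, and flags players whose submission gaps are too regular or too short for a human match. The thresholds are assumptions to tune against real data.

```python
"""Cadence check over stored match results (added example, not the thread's code).

Newen's symptom: a real player cannot finish a match every 70 seconds or so,
all day, without breaks. A script can, and its intervals are almost identical.
This flags players whose submission timestamps are too regular and too dense.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample rows: (player, unix_time) as they might be read from the
# matches table. "bot1" posts every 70 s all the time; "bob" plays irregularly.
SAMPLE_MATCHES = [("bot1", 1_349_870_000 + 70 * i) for i in range(60)] + [
    ("bob", 1_349_870_000 + t) for t in (0, 410, 1_330, 1_990, 3_605, 4_100)
]


def cadence_report(rows, min_matches=20, max_cv=0.10, min_gap=90):
    """Return {player: (count, mean_gap, cv)} for suspicious players.

    A player is flagged when they have at least `min_matches` submissions and
    either the inter-submission gaps barely vary (coefficient of variation
    below `max_cv`) or the average gap is shorter than `min_gap` seconds,
    assumed here to be less than any human match can take.
    """
    by_player = defaultdict(list)
    for player, ts in rows:
        by_player[player].append(ts)

    flagged = {}
    for player, stamps in by_player.items():
        stamps.sort()
        if len(stamps) < min_matches:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # 0.0 means perfectly regular
        if cv < max_cv or avg < min_gap:
            flagged[player] = (len(stamps), avg, cv)
    return flagged


if __name__ == "__main__":
    for player, (count, avg, cv) in cadence_report(SAMPLE_MATCHES).items():
        print(f"{player}: {count} matches, mean gap {avg:.0f}s, cv {cv:.2f}")
```

Flagged players are candidates for review or for quarantining their scores, not proof by themselves; a legitimate player on a timer-based game mode would need a higher `max_cv`.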
In terms of the other stuff, is this a Flash game? If so you could pass data in binary AMF. This isn't "secure" but a bot would need to know how to do a lot more than a simple HTTP post, and it would prevent most of this. You could also pass in the high score variable name for every game; if this variable is changing it will be hard for the bot to know where to post to. This might be easier to get around because they could figure out where the variable is coming from, but it takes more work. You could also set up a server side socket and stream the high scores; if the connection to the socket is secure, nothing but what is approved to connect would be able to post. This is more complicated but gives you a few options.
I might just start with the simplest and see if that fixes the issue with the bot; as long as you can scare away the people that are doing this you won't have an issue.
-Tyler
On Oct 10, 2012, at 10:39 AM, Newen Fara <00ne...@gmail.com> wrote:
> --
> You received this message because you are subscribed to the Google Groups "FlashCodersNY" group.
> To post to this group, send email to flashcodersny@googlegroups.com.
> To unsubscribe from this group, send email to flashcodersny+unsubscribe@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/flashcodersny?hl=en.
Could you have the game authenticate itself before accepting scores?
Server sends a challenge key, game sends back an encrypted value according
to a hard-wired algorithm. Server verifies that string is correct by
decrypting the value. You could incorporate the scores themselves into the
value, and send the string along with scores, and reject them if it doesn't
match.
Or perhaps it's not even hard-wired, but also supplied by the server.
Perhaps the encryption algorithm could be binary as Tyler describes. This
would be vulnerable to reverse engineering of your swf, but it would make
things more difficult for the hackers. The idea isn't to make it
unbeatable, but to make it not worth the effort.
On Wed, Oct 10, 2012 at 11:06 AM, Tyler Larson <tallty...@gmail.com> wrote:
> Find the IP address of the robot and block it with something like this:
> http://httpd.apache.org/docs/2.2/howto/access.html
> $_SERVER['REMOTE_ADDR'] should give you the person's IP address, I think.
This is pretty much what I was going to suggest. Have the server send
a key to the game over binary protocol, and combine that with the
score data and do a checksum like MD5 or sha1. Both of these and more
are in the core lib provided by Adobe:
https://github.com/mikechambers/as3corelib/tree/master/src/com/adobe/... (md5 and sha1 are also available in php4+)
Then send the encrypted value to the server where it will be checked
for tampering (by calculating the same checksum there)
As has been said, no system is impossible to hack (maybe until we get
quantum entanglement messaging under control ;-)
but this should make it difficult enough to discourage this type of hacking.
On Wed, Oct 10, 2012 at 11:19 AM, Brian Wane <bpw...@smerc.com> wrote:
> Yes. This is what we do. Works well. Also helps protect games from being
> stolen.
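The server side of the challenge-and-checksum scheme Xo and Hudson describe (and Brian says works for them), as an added example rather than code from the thread. It models the PHP receiver in Python and departs from the thread in three assumed ways: HMAC-SHA256 instead of a bare MD5 of key+score, each challenge is single-use so a captured valid submission cannot be replayed, and Newen's once-per-minute check is tied to the challenge's issue time. The secret, session store and thresholds are constructed; as Xo notes, the secret is recoverable from the swf, so this raises the cost of cheating rather than eliminating it.

```python
"""Score acceptance with a per-match challenge (added example, not the thread's code).

Flow: start_match() hands the game a random challenge when a match begins;
when it ends the game sends (player, challenge, score, checksum) where the
checksum is HMAC(secret, challenge:score). submit() recomputes the checksum,
rejects mismatches, replays, wrong owners and impossibly fast matches.
"""
import hashlib
import hmac
import secrets

GAME_SECRET = b"constructed-secret-compiled-into-the-swf"  # assumption
MIN_MATCH_SECONDS = 60        # Newen's existing once-per-minute interval
CHALLENGE_TTL_SECONDS = 3600  # assumption: no match lasts over an hour


class ScoreServer:
    def __init__(self):
        self.open_challenges = {}  # challenge -> (player, issued_at)
        self.accepted = []         # (player, score) rows that passed

    def start_match(self, player, now):
        """Issue a fresh random challenge and remember who got it and when."""
        challenge = secrets.token_hex(16)
        self.open_challenges[challenge] = (player, now)
        return challenge

    @staticmethod
    def checksum(challenge, score):
        """What the game computes over the challenge and the final score."""
        msg = f"{challenge}:{score}".encode()
        return hmac.new(GAME_SECRET, msg, hashlib.sha256).hexdigest()

    def submit(self, player, challenge, score, tag, now):
        """Return 'ok' or the reason the submission was rejected."""
        entry = self.open_challenges.get(challenge)
        if entry is None:
            return "unknown or reused challenge"   # forged, or a replay
        owner, issued_at = entry
        if owner != player:
            return "challenge issued to another player"
        if now - issued_at < MIN_MATCH_SECONDS:
            return "match finished impossibly fast"
        if now - issued_at > CHALLENGE_TTL_SECONDS:
            return "challenge expired"
        # Constant-time compare so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(self.checksum(challenge, score), tag):
            return "checksum mismatch"             # score or tag tampered
        del self.open_challenges[challenge]        # single use: no replay
        self.accepted.append((player, score))
        return "ok"
```

Because a rejected submission leaves the challenge open, a flaky client can retry; only an accepted one consumes it.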